By Kayla Olaya and Kate Aubusson
One of Australia’s largest IVF providers has sought to suppress how sensitive medical and personal information for potentially thousands of its patients was published to the dark web by cybercriminals, as victims seek to launch a class action.
Genea, the country’s third-biggest fertility clinic operator, informed an undisclosed number of patients that their private information had been published on the dark web in February after its internal systems were breached.
Stolen data included patients’ full names, dates of birth, addresses, mobile numbers, treating doctors, medical diagnoses, Medicare numbers and private health fund details, Genea revealed to patients in emails.
Australian Federal Police are conducting a criminal investigation into the breach.
Genea has sought suppression orders in the Federal Court to prevent disclosure of details regarding its containment and remediation measures and its negotiation strategy, and the identities of its cybersecurity experts.
Class action law firm Phi Finney McDonald is investigating the circumstances of the data breach after being contacted by several distressed current and former patients.
Principal lawyer Tania Noonan said: “Patients at Genea are entitled to the highest levels of privacy and safety to ensure their personal details and medical histories remain secure.”
One Genea patient, Dean*, described the breach as “emotionally devastating”. He wishes to join a potential class action and wants punitive action taken against Genea.
“If I could think about any part of my life that I would not want to be available to download on the dark web, it would be my medical information and more poignantly, my fertility information.”
“It’s made me feel really icky to know that ... our entire medical and fertility history is available to purchase by anyone who wants it,” he said.
In a statement, Genea said it sincerely apologised and deeply regretted that personal information was accessed and published.
“We are committed to learning from this incident, and we have taken steps to further strengthen our networks to ensure that we can continue to provide the very best care to our patients,” it read.
Genea obtained an injunction to prevent any access, use, dissemination or publication of the affected data, to protect the information of its patients, their partners, and staff.
In a hearing last month, Genea’s counsel argued that if the company’s containment and remediation measures were made public, it would invite hackers to exploit its systems further.
NSW Supreme Court Justice Michael Slattery agreed that it was important to suppress personal and medical information of affected patients.
But, Slattery said: “There is a public interest in knowing about this kind of problem and … how it is dealt with.
“I’m not convinced that information [about] your clients, employees or your client’s internal operations should be suppressed,” the judge said. “I’m not convinced that the identity of the cybersecurity experts you have retained … [and] that your containment or remediation measures should be suppressed.”
“I may be persuaded that your negotiation strategy with the threat actor should be suppressed if there’s evidence that there are ongoing negotiations,” Slattery said.
The suppression orders, directed at the hackers, are supposed to stop them from disseminating the information they stole.
But since Genea doesn’t know who they are – and cannot tell them that the order exists – such an order is intended to prevent other people from downloading the information and sharing it, and has been used in earlier cases of cyber breaches.
Former patient Daisy* said patients had a right to know what measures Genea had in place to protect its patients’ information and the actions it took once the breach was identified.
“Why aren’t we able to know whether or not they had the right security in place to protect our personal and sensitive information?” the 34-year-old said.
“You go somewhere like this, never thinking your information would be released,” she said. “I’ve spoken to so many women who have said, ‘I have chosen not to share our IVF journey’.”
Two patients affected by the breach are now considering moving homes due to the sensitive nature of their work and the danger posed by having their address and other personal information shared on the dark web, where criminal actors can access it.
Josie*, another patient wishing to join a potential class action, had undergone extensive treatment with Genea over four years.
“They will have a huge amount of information, genetic test [information], various medical tests, [and] sociodemographic information,” she said.
“There will be children who have been born using donor eggs, donor sperm or donor embryos – and all of that information will presumably be out there. So it’s not just information about the parents involved.”
Genea has established a call centre to support patients whose data had been breached.